Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 552 - Logon attempt using explicit credentials [Win XP]
EventID 552 - Logon attempt using explicit credentials [Win XP]
Indicates that a user who is already logged on successfully created another logon session with different user's credentials.

Note:
This event is not logged on Windows 2000 systems.
Typically, this occurs when the user runs the RUNAS command and specifies a different set of credentials.

The Logged on user fields specify the user's original credentials.
The Caller Process ID field specifies the process that made the logon request with the new credentials.
The Source Network Address and Source Port fields specify the source IP address and source port number for the remote computer that sent the logon request, if applicable.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2003
Windows 2008
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Logon/Logoff
        Event ID:       552
        Date:           11/2/2009
        Time:           05:47:29
        User:           RESEARCH\CBrown
        Computer:       WST1
        Description:
        Logon attempt using explicit credentials:
        Logged on user:
        User Name:	CBrown
        Domain:		RESEARCH
        Logon ID:	(0x0,0x697DC)
        Logon GUID:	{dfeb6291-cc82-e563-8c57-a370dbf729a4}
        User whose credentials were used:
        User Name:	Paul
        Domain: 	RESEARCH
        Logon GUID: {f6956476-dd7a-df4a-1006-c2026f6e3cc3}
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows XP
Source Security
Category Logon/Logoff
EventId 552
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Domain Domain of the account for which logon is requested. InsertionString2 RESEARCH
User Name The account name of the logged on user InsertionString1 CBrown
Logon ID ID of the logon session of the logged on user. Useful for tracking other user activity within the same logon session. InsertionString3 (0x0,0x697DC)
Logon GUID A globally unique identifier of the logon. For logons that use Kerberos, the logon GUID can be used to associate a logon event on the computer where the logon was initiated with an account logon message on an authenticating computer, such as a domain controller. InsertionString4 {dfeb6291-cc82-e563-8c57-a370dbf729a4}
Target User Name Account name of the user whose credentials were used InsertionString5 Paul
Target Domain Domain of the user whose credentials were used InsertionString6 RESEARCH
Target Logon GUID Globally unique ID of the logon of the user whose credentials were used. Useful for correlating logon events on client computer and domain controller. InsertionString7 {f6956476-dd7a-df4a-1006-c2026f6e3cc3}
Comments
You must be logged in to comment